RPC over HTTPS on server 2003
cas v1.0
-Create the certificate for use on IIS and IE on the client
Use any Linux box with openssl installed and run the following:
Make sure that the Common Name (CN) is the name of the RPC proxy, i.e. the internet-facing machine the clients will connect to (e.g. the firewall), and not the internal NetBIOS name of the Exchange server.
openssl genrsa -des3 -rand /etc/hosts -out smtpd.key 1024
chmod 600 smtpd.key
openssl req -new -key smtpd.key -out smtpd.csr
openssl x509 -req -days 3650 -in smtpd.csr -signkey smtpd.key -out smtpd.crt
openssl rsa -in smtpd.key -out smtpd.key.unencrypted
mv -f smtpd.key.unencrypted smtpd.key
openssl req -new -x509 -extensions v3_ca -keyout cakey.pem -out cacert.pem -days 3650
openssl pkcs12 -export -in smtpd.crt -inkey smtpd.key -out naledi.p12
(the .p12 file can be given any name)
On the server, use IIS (Default Web Site > Directory Security) to import this certificate from a file.
On the client, use IE and import this into the Trusted Root Certification Authorities.
Also, install the certificate on the server by right-clicking on the .p12 file and selecting Install. Enter the password that was assigned when the certificate was exported (normally tttt).
Then when viewing the certificate in IIS on the server it should now show that it is intended for the following purposes:
All issuance policies
All application policies
If, when viewed, the certificate says something like “This has been revoked”, remove the certificate from “Untrusted Publishers” in the certificate section of IE.
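The certificate steps above are interactive and easy to get wrong at the one point that matters (the CN). The script below is an added example and not part of the original write-up: it creates the same self-signed certificate and .p12 bundle non-interactively, then checks that the CN really is the external proxy name and that the key belongs to the certificate before anything is imported into IIS or IE. It assumes fw1.naledi.org.za as the proxy name (the page's own example); the file names, output directory and export-password placeholder are this script's own choices, and it uses a 2048-bit key where the page used 1024.

```shell
#!/bin/sh
# Added example, not part of the original write-up: create the RPC proxy
# certificate non-interactively and verify it before importing it anywhere.
# Assumptions: fw1.naledi.org.za is the external RPC proxy name (the page's
# own example); file names, the output directory and the export password
# placeholder are this script's own choices.
set -e

PROXY_NAME="${PROXY_NAME:-fw1.naledi.org.za}"   # external proxy name, never the internal NetBIOS name
OUTDIR="${OUTDIR:-./rpcproxy-cert}"             # where the files are written
DAYS=3650                                       # validity, as in the page's commands
P12_PASS="${P12_PASS:-replace-this-export-password}"   # placeholder; set your own

# Generate the key, the self-signed certificate and the PKCS#12 bundle for IIS.
make_cert() {
  mkdir -p "$OUTDIR"
  # -nodes writes the key unencrypted straight away (the page encrypts it
  # with -des3 and then strips the passphrase); -subj avoids the prompts,
  # so the CN cannot be mistyped. 2048-bit RSA instead of the page's 1024.
  openssl req -new -x509 -nodes -newkey rsa:2048 -days "$DAYS" \
    -subj "/CN=$PROXY_NAME" \
    -keyout "$OUTDIR/smtpd.key" -out "$OUTDIR/smtpd.crt" 2>/dev/null
  chmod 600 "$OUTDIR/smtpd.key"
  # The .p12 is what IIS imports; the password is passed on the command
  # line here so the step is scriptable.
  openssl pkcs12 -export -in "$OUTDIR/smtpd.crt" -inkey "$OUTDIR/smtpd.key" \
    -out "$OUTDIR/rpcproxy.p12" -passout "pass:$P12_PASS"
}

# Print the Common Name of a PEM certificate. Handles both the old
# ("subject= /CN=x") and the new ("subject=CN = x") OpenSSL subject formats.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Fail unless the CN is the proxy name and the private key matches the cert.
verify_cert() {
  cn=$(cert_cn "$OUTDIR/smtpd.crt")
  if [ "$cn" != "$PROXY_NAME" ]; then
    echo "CN is '$cn', expected '$PROXY_NAME'" >&2
    return 1
  fi
  key_mod=$(openssl rsa -in "$OUTDIR/smtpd.key" -noout -modulus)
  crt_mod=$(openssl x509 -in "$OUTDIR/smtpd.crt" -noout -modulus)
  if [ "$key_mod" != "$crt_mod" ]; then
    echo "private key does not match certificate" >&2
    return 1
  fi
  echo "OK: certificate for $cn, key and certificate match"
}

# Usage: sh make-rpcproxy-cert.sh run
if [ "${1:-}" = "run" ]; then
  make_cert
  verify_cert
fi
```

Run it with `PROXY_NAME=<your proxy FQDN> sh make-rpcproxy-cert.sh run`; if the CN check fails, the certificate was made for the wrong name and IE will complain about a name mismatch when Outlook connects, so fix the name here rather than clicking through the warning later.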
-Configure the exchange server to use RPC over HTTPS
Go to Add/Remove Programs, click Add/Remove Windows Components, click Networking Services, and then click Details. Select the RPC over HTTP Proxy check box, click OK, and then click Next.
Note that you must have either the Windows Server 2003 installation CD ready, or the i386 folder from that CD accessible while installing this component.
-Configure the RPC virtual directory in Internet Information Services
Click the Directory Security tab for rpc, and then click Edit under Authentication and access control.
Click to clear the Enable anonymous access check box.
Click to select the Basic authentication (password is sent in clear text) check box.
You receive the following message:
The authentication option you have selected results in passwords being transmitted over the network without data encryption. Someone attempting to compromise your system security could use a protocol analyzer to examine user passwords during the authentication process. For more detail on user authentication, consult the online help. This warning does not apply to HTTPS (or SSL) connections.
Are you sure you want to continue?
Click Yes.
Also, set the rpc virtual directory to require SSL with 128-bit encryption, so that the Basic credentials only ever travel inside the HTTPS tunnel.
-Configure the RPC proxy server to use the correct ports
Check that the following registry values are correct:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\ParametersSystem
Value name: Rpc/HTTP Port
Value type: REG_DWORD
Value data: 0x1771 (Decimal 6001)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
Value name: HTTP Port
Value type: REG_DWORD
Value data: 0x1772 (Decimal 6002)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
Value name: Rpc/HTTP NSPI Port
Value type: REG_DWORD
Value data: 0x1774 (Decimal 6004)
The following key you will have to amend yourself (here using naledi as an example):
ws1 = the internal NetBIOS name of the Exchange server (ws1.naledi.org.za is the same server's fully qualified name)
fw1.naledi.org.za = the external internet-facing machine you will specify as the RPC proxy
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy\ValidPorts
ws1:593;ws1:6001-6002;ws1.naledi.org.za:593;ws1.naledi.org.za:6001-6002;fw1.naledi.org.za:593;fw1.naledi.org.za:6001-6002;ws1:6004;ws1.naledi.org.za:6004;fw1.naledi.org.za:6004
Install the Windows Server 2003 Resource Kit Tools (rktools) if not already installed, and check that the ports are set up correctly with
rpccfg /hd, which should show:
C:\WINDOWS\rpccfg /hd
Server Name Port Settings
---------------------------------------------------------
fw1.naledi.org.za 593 6001-6002 6004
ws1 593 6001-6002 6004
ws1.naledi.org.za 593 6001-6002 6004
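The ValidPorts string is the part of this setup that is most often mistyped, and a single missing host:port pair silently breaks either mail or the address book for one of the three names. The script below is an added example, not part of the original write-up or of the Resource Kit: it builds the ValidPorts value from the three names, renders it as the same per-host table that rpccfg /hd prints, and checks that every name allows 593, 6001, 6002 and 6004. The host names ws1, ws1.naledi.org.za and fw1.naledi.org.za are the page's own example; the function names are this script's own.

```shell
#!/bin/sh
# Added example, not part of the original write-up: build and check the
# HKLM\SOFTWARE\Microsoft\Rpc\RpcProxy\ValidPorts value. The host names in
# the usage comments are the page's example; the functions are this script's.
set -e

# Every name must allow: 593 (RPC endpoint mapper over HTTP), 6001
# (MSExchangeIS Rpc/HTTP Port), 6002 (MSExchangeSA HTTP Port) and
# 6004 (Rpc/HTTP NSPI Port), matching the registry values listed above.
REQUIRED_PORTS="593 6001 6002 6004"

# Build the ValidPorts string for the NetBIOS name, the internal FQDN and
# the external proxy FQDN, e.g.:
#   validports_string ws1 ws1.naledi.org.za fw1.naledi.org.za
validports_string() {
  out=""
  for h in "$1" "$2" "$3"; do
    out="$out$h:593;$h:6001-6002;$h:6004;"
  done
  printf '%s\n' "${out%;}"      # drop the trailing ';'
}

# Render a ValidPorts string as one line per host, in the order the ports
# appear in the string (the same shape as the rpccfg /hd output above).
validports_table() {
  printf '%s' "$1" | tr ';' '\n' | awk -F: '
    NF == 2 { seen[$1] = seen[$1] " " $2 }
    END { for (h in seen) print h seen[h] }' | LC_ALL=C sort
}

# Expand every host:port and host:lo-hi entry, then report any host in the
# string that does not allow one of the required ports. Exit status 1 on
# any gap, 0 when every host is complete.
validports_check() {
  printf '%s' "$1" | tr ';' '\n' | awk -F: -v REQ="$REQUIRED_PORTS" '
    NF == 2 {
      hosts[$1] = 1
      n = split($2, r, "-")
      lo = r[1] + 0
      hi = (n == 2) ? r[2] + 0 : lo
      for (p = lo; p <= hi; p++) allowed[$1, p] = 1
    }
    END {
      nn = split(REQ, need, " ")
      bad = 0
      for (h in hosts)
        for (i = 1; i <= nn; i++)
          if (!((h, need[i]) in allowed)) {
            print h " missing " need[i]
            bad = 1
          }
      exit bad
    }'
}

# Usage: sh validports.sh <netbios-name> <internal-fqdn> <proxy-fqdn>
if [ $# -eq 3 ]; then
  s=$(validports_string "$1" "$2" "$3")
  printf 'ValidPorts=%s\n\n' "$s"
  validports_table "$s"
  validports_check "$s"
fi
```

To audit an existing server, paste the value exported from the registry into validports_check; the output names exactly which host is short of which port, which is quicker than reading the rpccfg table by eye.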
-Configure all your global catalogs to use specific ports for RPC over HTTP for directory services
Click Start, point to Microsoft Exchange, and then click System Manager.
Expand your organization, expand Administrative Groups > First Administrative Group > Servers.
Right-click on your server name and select Properties.
On the General tab, verify that you have SP1 installed. Verify that a tab called RPC-HTTP is present.
On the RPC-HTTP tab, click on RPC-HTTP Back-End Server.
You might get an error:
Exchange System Manager
There is no RPC-HTTP front-end in your Exchange organization. There must be at least one RPC-HTTP front-end server in the organization before the RPC-HTTP back-end server can be accessed.
Acknowledge the error.
You need to reboot your server for the settings to take effect.
-Configure the firewall to DNAT port 443 to the internal IP address of the Windows box
$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 443 -d 192.168.0.3 -o $INTIF -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d $EXTIP --dport 443 -j DNAT --to 192.168.0.3:443
Client Side
-Add the certificate into IE as described earlier
-Add the RPC profile into Outlook
Open the Control Panel, double-click Mail, click Profiles, click Add, select the NetBIOS name of the Exchange server, and on the Connection tab under 'More Settings', select:
Connect to my Exchange mailbox using HTTP
Click Exchange Proxy Settings, enter the external name (e.g. https://mail.igd.org.za) and change the authentication to 'Basic Authentication'.
Save the profile and test.